5 Ways to Secure Your Containers for Docker and Beyond

Upload: black-duck-software

Post on 16-Apr-2017


Page 1: 5 Ways to Secure Your Containers for Docker and Beyond

5 Ways to Secure Your Containers for Docker and Beyond

Page 2: 5 Ways to Secure Your Containers for Docker and Beyond

Who is Black Duck Software?

• Founded 2002

• 250+ employees

• 1,800 customers

• 24 countries

• 7 of the top 10 software companies (44 of the top 100)

• 6 of the top 8 mobile handset vendors

• 6 of the top 10 investment banks

Page 3: 5 Ways to Secure Your Containers for Docker and Beyond

Understanding Container Technologies

Page 4: 5 Ways to Secure Your Containers for Docker and Beyond

Level Set: What is a Container?

[Diagram: two stacks side by side]

Linux Containers, Docker 1.10 and prior: Linux kernel (namespaces, cgroups, SELinux/AppArmor) → liblxc or libcontainer → Docker → Containers

Docker 1.10 and later: Linux kernel (namespaces, cgroups, SELinux/AppArmor) → Docker Engine → containerd → containerd-shim → runC (one shim and one runC per container) → Containers

Page 5: 5 Ways to Secure Your Containers for Docker and Beyond

Container Use Cases

Application containers

• Hold a single application

• Can follow micro-services design pattern

• Starting point for most container usage

• Short lifespan, many per host

System containers

• Proxy for a VM

• Insulate against core operating system

• Perfect for legacy apps

• Long lifespan, few per host

[Diagram: MySQL, Tomcat and nginx containers sharing one kernel, shown once as application containers and once as system containers]

Page 6: 5 Ways to Secure Your Containers for Docker and Beyond

Are Containers Production Ready?

Page 7: 5 Ways to Secure Your Containers for Docker and Beyond

Container Deployment Models

Page 8: 5 Ways to Secure Your Containers for Docker and Beyond

Container Deployment Models

Page 9: 5 Ways to Secure Your Containers for Docker and Beyond

Securing the Container Contents and Environment

Page 10: 5 Ways to Secure Your Containers for Docker and Beyond

#1 – Trust Your Container Source

[Diagram of image sources: the Red Hat Registry supplying Atomic App and Atomic Nulecule images to an Atomic Host; Docker Hub supplying MySQL, Redis and Jenkins images; third party and custom registries supplying Docker containers]

Problem: Who to trust, and why?

• Trusted source?

• Unexpected image contents

• Locked application layer versions (e.g. no yum update)

• Layer dependencies (monolithic vs micro-services)

• Validated when?

Page 11: 5 Ways to Secure Your Containers for Docker and Beyond

Remember – Open Source Components are Ubiquitous

[Figure: where open source enters the code base: developer downloads, outsourced development, third party libraries, code reuse, approved components, commercial apps, open source code]

Page 12: 5 Ways to Secure Your Containers for Docker and Beyond

#2 – Determine Who Can Launch A Container

Container default is root access

• RBAC/ABAC is orchestration-specific

Docker Datacenter

  • Universal Control Plane

  • RBAC – LDAP/AD/local users

  • Full/Restricted/View/None

Kubernetes

  • Authorization modules

  • Admission controllers

Page 13: 5 Ways to Secure Your Containers for Docker and Beyond

#3 – Define Sensible Network Policies

• Docker default network is a Linux bridge

• Access policy is defined in iptables

• Based on Docker daemon startup options

• External communication is on by default

  • --iptables=false to stop the daemon modifying iptables

• Inter-container communication is on by default

  • --icc=false to disable inter-container communication

  • --link=CONTAINER_NAME_or_ID:ALIAS then allows linked containers to reach the ports EXPOSEd in the Dockerfile

• All inter-container/cross-host communication is external

• The `docker network` command simplifies aspects of network design

  • Create user-defined networks, including overlay networks

  • docker network create --driver bridge sql

Page 14: 5 Ways to Secure Your Containers for Docker and Beyond

Docker Networking - Example

[Diagram: two hosts, eth0/10.204.136.1 and eth0/10.204.136.2. On each host six containers (veth0 to veth5) attach to the docker0 bridge, and docker0 NATs the same 172.16.1.0/24 range through iptables, so container traffic between hosts leaves via eth0.]

Page 15: 5 Ways to Secure Your Containers for Docker and Beyond

Kubernetes Networking - Example

[Diagram: two hosts on the Kubernetes network, eth0/10.204.136.20 and eth0/10.204.136.10. Each host runs two pods; each pod holds a pause container plus two application containers and has its own routable address on veth0 (10.204.136.21 and 10.204.136.22 on the first host, 10.204.136.11 and 10.204.136.12 on the second).]

Page 16: 5 Ways to Secure Your Containers for Docker and Beyond

#4 – Perform Vulnerability Tracking

[Chart: Open Source Vulnerabilities Reported Per Year, 1999 to 2015, y-axis 0 to 3500; series: BDS-exclusive and NVD]

Reference: Black Duck Software Knowledgebase, NVD

Page 17: 5 Ways to Secure Your Containers for Docker and Beyond

Knowledge is Key. Can You Keep Up?

Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow

• July 2015 – glibc bug reported

Page 18: 5 Ways to Secure Your Containers for Docker and Beyond

Knowledge is Key. Can You Keep Up?

Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow

• May 2008 – glibc vulnerability introduced

• July 2015 – glibc bug reported

• Feb 16, 2016 – CVE-2015-7547 assigned

Low Security Risk

Page 19: 5 Ways to Secure Your Containers for Docker and Beyond

Knowledge is Key. Can You Keep Up?

Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow

• May 2008 – glibc vulnerability introduced

• July 2015 – glibc bug reported

• Feb 16, 2016 – CVE-2015-7547 assigned

• Feb 18, 2016 – vulnerability published in the National Vulnerability Database

Low Security Risk → Moderate Security Risk

Page 20: 5 Ways to Secure Your Containers for Docker and Beyond

Knowledge is Key. Can You Keep Up?

Vuln: CVE-2015-7547: glibc getaddrinfo stack-based buffer overflow

• May 2008 – glibc vulnerability introduced

• July 2015 – glibc bug reported

• Feb 16, 2016 – CVE-2015-7547 assigned

• Feb 18, 2016 – vulnerability published in the National Vulnerability Database

• Patches available

• You find it

• You fix it

Low Security Risk → Moderate Security Risk → Highest Security Risk

Page 21: 5 Ways to Secure Your Containers for Docker and Beyond

#5 – Limit the Scope of Compromise

• Enable Linux Security Modules

  • SELinux: --selinux-enabled on the Docker engine, --security-opt="label:profile"

  • AppArmor: --security-opt="apparmor:profile"

• Apply Linux kernel security profiles

  • grsecurity, PaX and seccomp protections for ASLR and RBAC

• Adjust privileged kernel capabilities

  • Reduce capabilities with --cap-drop

  • Beware --cap-add even with --privileged=false, and CAP_SYS_ADMIN in particular

• Use a minimal Linux host OS

  • Atomic Host, CoreOS, RancherOS

• Reduce the impact of noisy neighbors

  • Use cgroups to set CPU shares and memory limits
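An added audit script, not part of the Black Duck deck, that applies the checks from #2, #3 and #5 to `docker inspect` output: it flags root users, attachment to the default bridge, ports published on all interfaces, --privileged, --cap-add, a missing --cap-drop and a missing --security-opt profile. The JSON record is constructed with real `docker inspect` field names and made-up values; `audit_container` and `audit` are names chosen here.

```python
import json
# Constructed `docker inspect` sample (real field names, made-up values).
SAMPLE_INSPECT = json.dumps([{
    "Name": "/web",
    "Config": {"User": "", "Image": "nginx:latest"},
    "HostConfig": {
        "Privileged": False,
        "CapAdd": ["SYS_ADMIN"],
        "CapDrop": [],
        "SecurityOpt": None,
        "NetworkMode": "default",
        "PortBindings": {"80/tcp": [{"HostIp": "", "HostPort": "8080"}]},
    },
    "NetworkSettings": {"Networks": {"bridge": {"IPAddress": "172.17.0.2"}}},
}])

def audit_container(c):
    """Return (check, detail) findings for one inspect record (a dict)."""
    findings = []
    cfg, hc = c["Config"], c["HostConfig"]
    # #2: a container runs as root unless the image or `docker run` sets a user
    if cfg.get("User") in ("", None, "root", "0"):
        findings.append(("root-user", "no non-root user set"))
    # #3: the default docker0 bridge leaves inter-container traffic open unless
    # the daemon runs with --icc=false; HostIp "" or 0.0.0.0 exposes a port to all
    nets = c.get("NetworkSettings", {}).get("Networks", {})
    if hc.get("NetworkMode") in ("default", "bridge") or "bridge" in nets:
        findings.append(("default-bridge", "not on a user-defined network"))
    for port, binds in (hc.get("PortBindings") or {}).items():
        if any(b.get("HostIp") in ("", "0.0.0.0") for b in binds):
            findings.append(("public-port", f"{port} published on all interfaces"))
    # #5: --privileged, --cap-add and missing LSM/seccomp profiles widen the blast radius
    if hc.get("Privileged"):
        findings.append(("privileged", "--privileged grants every capability"))
    for cap in hc.get("CapAdd") or []:
        findings.append(("cap-add", f"{cap} added; CAP_SYS_ADMIN is near-root"))
    if not hc.get("CapDrop"):
        findings.append(("no-cap-drop", "no --cap-drop; start from --cap-drop=ALL"))
    opts = hc.get("SecurityOpt") or []
    if not any(o.startswith(("apparmor", "label", "seccomp")) for o in opts):
        findings.append(("no-lsm-profile", "no explicit --security-opt profile"))
    return findings

def audit(inspect_json):  # audit every container in a `docker inspect` JSON array
    return {c["Name"]: audit_container(c) for c in json.loads(inspect_json)}

if __name__ == "__main__":
    for name, found in audit(SAMPLE_INSPECT).items():
        for check, detail in found:
            print(f"{name}: {check}: {detail}")
```

Feed real output with `docker inspect $(docker ps -q)` into `audit()`. An empty SecurityOpt does not mean no confinement: Docker applies its default AppArmor and seccomp profiles where the host supports them, so the finding marks an unreviewed default rather than a missing control.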

Page 22: 5 Ways to Secure Your Containers for Docker and Beyond

Using Black Duck Hub to Simplify Container Security

Page 23: 5 Ways to Secure Your Containers for Docker and Beyond

Attackers Decide What’s Valuable …

Page 24: 5 Ways to Secure Your Containers for Docker and Beyond

But security investment is often not aligned with actual risks

Page 25: 5 Ways to Secure Your Containers for Docker and Beyond

Black Duck Hub Architecture

[Diagram: (1) Hub Scan produces (2) file and directory signatures, which are matched against the Black Duck KnowledgeBase so that (3) open source components are identified. The Hub Web Application runs on premises; the KnowledgeBase lives in the Black Duck data center.]

Page 26: 5 Ways to Secure Your Containers for Docker and Beyond

Comprehensive KnowledgeBase

• 8,500 websites

• 350 billion lines of code

• 2,400 license types

• 1.5 million projects

• 76,000 vulnerabilities

• Largest database of open source project information in the world.

• Vulnerability coverage extended through partnership with Risk Based Security.

• The KnowledgeBase is essential for identifying and solving open source issues.

Page 27: 5 Ways to Secure Your Containers for Docker and Beyond

Hub Provides Easy Methods to Determine Risk

Open source license compliance

• Ensure project dependencies are understood

Use of vulnerable open source components

• Is component a fork or dependency?

• How is component linked?

Operational risk

• Can you differentiate between “stable” and “dead”?

• Is there a significant change set in your future?

• API versioning

• Security response process for project

Page 28: 5 Ways to Secure Your Containers for Docker and Beyond

Integrations Matter

Page 29: 5 Ways to Secure Your Containers for Docker and Beyond

• INVENTORY open source software

• MAP known security vulnerabilities

• IDENTIFY license compliance risks

• TRACK remediation priorities & progress

• ALERT on new vulnerabilities affecting you

Page 30: 5 Ways to Secure Your Containers for Docker and Beyond

We Need Your Help

Knowledge is power

• Know what's running and why

• Define a proactive vulnerability response process

• Don't let the technology hype cycle dictate security

Invest in defense in depth models

• Don't rely on perimeter security to do the heavy lifting

• Do look at hypervisor & container trends in security

• Make developers and ops teams part of the solution

• Do embed security into the deployment process

Together we can build a more secure data center

Page 31: 5 Ways to Secure Your Containers for Docker and Beyond

Free Tools to Help

Free Docker Container Security Scanner

• https://info.blackducksoftware.com/Security-Scan.html

14 Day Free Trial to Black Duck Hub

• https://info.blackducksoftware.com/Demo.html

• Red Hat Atomic Host Integration (Requires Black Duck Hub)

• atomic scan --scanner blackduck [container]

Page 32: 5 Ways to Secure Your Containers for Docker and Beyond

Recap: Top 5 Ways to Secure Your Production Containers

Know the source of your container images

Create a well-defined authorization and authentication model

Implement a restrictive network policy

Limit the scope of compromise in the container host

Monitor deployments for vulnerability disclosures

Page 33: 5 Ways to Secure Your Containers for Docker and Beyond

If you have any questions on the content in this presentation, tweet Tim Mackey @TimInTech or Black Duck Software @black_duck_sw, and use the hashtag #5ways in your question. Follow us so that we can use direct messages for detailed discussion. It's likely we'll convert the question into a blog post so that everyone benefits from the discussion.

Q&A

Page 34: 5 Ways to Secure Your Containers for Docker and Beyond